The General Data Protection Regulation (GDPR) is designed to ensure that the personal data of EU citizens is safeguarded – no matter where in the world it is processed. With this in mind, the GDPR generally prohibits the transfer of personal data outside the EEA, except to those countries deemed to have adequate data protection laws in place.
Only very few countries are deemed to have “adequate” data protection laws and currently the United States is not included on that list. This is where the Privacy Shield comes in – an agreement between the EU and the US that sets out certain minimum standards in relation to data processing.
On a practical level, US companies that participate in the Privacy Shield framework and comply with its requirements are able to show that their data protection procedures are robust enough to do business in the EU. As such, signing up to (and complying with) this voluntary scheme can be a useful gateway towards achieving GDPR compliance.
That said, the GDPR brings into force a wide range of requirements on businesses, many of which go over and above the basic protection principles set out under the Privacy Shield. Signing up to the Privacy Shield is not an automatic passport to full GDPR compliance for US companies.
Here, we’ll take a closer look at how the GDPR and The Privacy Shield work together and at what you need to do to ensure full compliance with EU privacy law.
The Privacy Shield – what is it for and how does it work?
From small retailers through to huge social media platforms, EU lawmakers know that EU citizens want to do business with organisations located across the globe (including the US). Unless those companies have a substantial physical presence in Europe (an order processing centre, for instance), providing a service will almost always involve transferring personal data outside the EU.
At the same time, lawmakers want to ensure that individuals get basically the same level of protection regardless of where their personal data is processed and that they have enforceable rights if an organisation breaches its responsibilities. As such, and much like the Data Protection Directive that was previously in force, the GDPR stipulates that personal data may only be transferred out of the EEA if certain conditions are met.
There are alternatives to The Privacy Shield for non-EU organisations, which may be important for US organisations that aren’t eligible to participate in The Privacy Shield:
- Binding Corporate Rules (BCR) – especially relevant to large companies with a number of subsidiaries, the use of BCR involves drawing up a very detailed code of conduct detailing how personal data are going to be processed within an organisation. To be valid, BCR have to be pre-approved by a European data regulator (e.g. the ICO in the UK or CNIL in France).
- ‘Model clauses’ – these are available to some non-EU organisations where that organisation is either a controller or processor receiving personal data from an EU controller. The clauses are in a specified format which can’t be negotiated. They are not available where the non-EU organisation is a controller receiving the personal data directly from the data subject themselves.
Model clauses are convenient but do not provide the same badge of trust as The Privacy Shield. BCR are expensive and cumbersome compared to The Privacy Shield framework, which offers US companies a more convenient and less “admin-heavy” method of transferring personal data out of the EU in a lawful manner. Here are some of its key features:
- It is a voluntary arrangement and to make use of it, organisations need to sign up via the US Department of Commerce. You can read more about the process, including full eligibility details, in this official guide.
- To participate in the scheme, organisations must put in place “robust mechanisms” to ensure that the principles set out under the Privacy Shield are adhered to. These principles cover information to be provided to data subjects, data minimisation, preventing unlawful use, security, safe transfer, the right to access and the right to complain.
- There is a sliding-scale range of fees for participation (these are determined by the size of the company).
- A Privacy Shield sign-up needs to be renewed annually to remain valid. While an organisation is registered, its name appears on the Department of Commerce list of Privacy Shield participants. In itself, this can be a reassuring sign to other organisations that an organisation is a safe pair of hands when it comes to personal data.
- Once a valid Privacy Shield certification is in place, an organisation may transfer and process the personal data of EU citizens without the need for pre-approval from an EU regulator.
The foundational Privacy Shield principles align broadly with the seven core GDPR principles (you can read more about these here). But at the same time, you need to keep on top of those key GDPR requirements that fall outside the scope of The Privacy Shield.
These additional areas include the following:
Data access, erasure and portability
Privacy Shield participants are required to grant data subjects access to their personal data on request and to do so within a “reasonable” timeframe. The GDPR is more detailed in its requirements in this area, stipulating that requests generally ought to be dealt with within “no later than 30 days” of receipt of the request.
The GDPR also establishes new rights to erasure and portability that are not explicitly covered under The Privacy Shield. These mean that, if certain conditions are met, data subjects may request that their personal data be deleted, or be transferred directly to the data subject or to a third party. US organisations need to ensure they have procedures in place to assess the legitimacy of such requests and to facilitate them.
Ensuring data security and privacy
Mirroring the language of the GDPR, The Privacy Shield stipulates that companies must secure data against loss, misuse, unauthorised access, disclosure, alteration or destruction, taking into account the nature of the personal data and the risks faced.
The GDPR is more prescriptive, stipulating that the twin principles of Privacy by Design and Privacy by Default are applied to any new data processing activity you introduce. Linked to this is the need to carry out Privacy Impact Assessments for new activities, whereby privacy issues are identified at the design stage and suitable safeguarding measures are adopted – right from the outset. All of this has to be documented.
If you adhere to the Privacy Shield obligations concerning data subjects’ ‘right to be informed’, it should help you stay on top of your GDPR obligations concerning lawfulness, fairness and transparency. But especially when it comes to privacy notices, you should look carefully at what the GDPR specifies ought to be included.
And if you are relying on data subject consent as the basis for processing activities, make sure you understand and implement the procedures required under the GDPR for securing this consent (i.e. it should be freely given, easily understood and capable of being withdrawn easily).
General data governance obligations
Most US companies that do not have a physical presence in the EU will need to nominate an EU representative – and this includes those companies that sign up to The Privacy Shield. The representative is essentially your company’s go-between for dealing with supervisory authorities. Our guide for US companies provides further information on this.
Recently, members of The European Parliament have questioned the effectiveness of The Privacy Shield, amid suggestions that US authorities are failing to police it adequately. Its provisions are subject to annual review by the European Commission and US Department of Commerce, so businesses shouldn’t be surprised if a new version arrives in the near future.
This speculation surrounding The Privacy Shield also highlights the fact that compliance isn’t a ‘one-off’ event; businesses need to remain constantly vigilant for changes to the law to ensure they stay on top of their obligations.
For many US companies, applying for Privacy Shield certification is a useful first step in achieving compliance. Beyond this, The Privacy Compliance Hub offers a complete framework for meeting your obligations under EU data protection law. To see how it can help your business, take a look at our demo, or get in contact for a chat today.